Version 1.1 dated 5 May 2026 (replaces version of 4 June 2025).
This is the English translation of the Polish privacy policy. In case of any discrepancy between the language versions, the Polish version prevails as the binding text.
This Policy sets out the rules for processing personal data of persons using the website operated at inteliq.pl (hereinafter: the „Website"), candidates participating in recruitment processes conducted by Inteliq Group sp. z o.o., clients using the Controller's services, and other persons whose data may be processed in connection with the conducted activity. The Policy has been prepared in fulfilment of the information obligation referred to in Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter: „GDPR" or the „Regulation"). Matters not regulated in this Policy are governed by the GDPR and by the Polish Personal Data Protection Act of 10 May 2018.
The controller of personal data is Inteliq Group spółka z ograniczoną odpowiedzialnością (a Polish limited liability company) with its registered seat in Warsaw at ul. Dembego 10/181, 02‑796 Warsaw, registered in the Register of Entrepreneurs of the National Court Register kept by the District Court for the Capital City of Warsaw under KRS number 0000969100, NIP 9512540135, REGON 522014999 (hereinafter: the „Controller").
The Controller's operational office is located in Warsaw at ul. Marszałkowska 89, 00‑693 Warsaw.
Correspondence to the Controller in matters covered by this Policy is accepted at: [email protected] (general matters) and [email protected] (data protection matters).
The Controller has designated a Data Protection Officer (DPO) on the basis of Article 37(1)(c) GDPR, given that the Controller's core activities consist of large‑scale processing of special categories of personal data within the meaning of Article 9(1) GDPR (data which may appear in candidates' application documents). The DPO may be contacted in all matters relating to the processing of personal data and the exercise of rights under the GDPR. Contact: [email protected].
The scope of data depends on the role in which a person uses the Website or interacts with the Controller.
For Candidates (persons submitting a CV via the Website's form, taking part in recruitment processes conducted directly or under executive search engagements), the following data are processed in particular: name and surname, e‑mail address, telephone number, location, data contained in the submitted CV (employment history, education, competencies), information on financial expectations and preferred form of cooperation, willingness to work remotely or relocate, as well as links to publicly available professional profiles (where provided), notes made by the Controller during interviews and results of competency tests.
For Clients (entrepreneurs sending enquiries to the Controller or using recruitment, advisory, employer branding services), the following data are processed: company data (name, tax identification number, registered address) and the data of the representative or person authorised to maintain contact (name, surname, business e‑mail address, telephone number, position), as well as the content of business correspondence and documentation exchanged in the course of cooperation.
For Users browsing the Website, processing covers diagnostic data, in particular IP address, session identifier and browser information, as well as, subject to consent, data collected via Google Analytics 4 (client identifier, browsing behaviour); details of cookies are governed by the separate Cookies Policy.
For event participants (conferences, training, webinars organised by the Controller), the following data are processed: name and surname, e‑mail address, organisation name and technical data related to participation in the event.
The Controller does not request that Candidates provide special categories of data, i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, data concerning health or sexual orientation. Including such information in application documents is neither required nor expected. If such data nevertheless appear in a CV or other document submitted by a Candidate, the Controller deletes them without undue delay, unless the Candidate has expressly consented to their processing for recruitment purposes (Article 9(2)(a) GDPR). Such consent remains freely revocable.
The Controller processes personal data obtained:
Whenever data are obtained from a source other than the data subject, the Controller fulfils the information obligation under Article 14 GDPR without undue delay, no later than within one month of obtaining the data.
| Purpose of processing | Legal basis | Retention period |
|---|---|---|
| Conducting a recruitment process for the indicated employer (client) | Article 6(1)(b) and (f) GDPR; Article 221 § 1 of the Polish Labour Code | for the duration of the recruitment and, after its completion, no longer than 6 months |
| Inclusion of the Candidate in the Controller's talent pool and sending information about future opportunities | Article 6(1)(a) GDPR (consent) | no longer than 24 months from the Candidate's last activity; the period may be extended on the basis of renewed consent |
| Provision of recruitment, advisory and employer branding services to Clients | Article 6(1)(b) GDPR (contract) | for the duration of the contract and, after its termination, for the period applicable for the pursuit of claims arising from the contract |
| Conducting business correspondence and responding to enquiries submitted via the Website | Article 6(1)(f) GDPR (legitimate interest of the Controller in maintaining business relationships) | no longer than 24 months from the last activity in the correspondence, subject to longer periods arising from a concluded contract |
| Marketing of the Controller's own services, including sending commercial information by e‑mail | Article 6(1)(a) GDPR (consent) in conjunction with Article 10 of the Polish Act on Provision of Electronic Services and Article 172 of the Polish Telecommunications Law | until consent is withdrawn |
| Measurement of traffic and analytics of Website usage (Google Analytics 4) | Article 6(1)(a) GDPR (User's consent given via the cookies banner) | in accordance with Google Analytics 4 settings: up to 14 months |
| Ensuring the security of the Website, preventing abuse and protecting against unlawful actions of third parties | Article 6(1)(f) GDPR (legitimate interest of the Controller) | technical logs no longer than 12 months |
| Fulfilment of accounting, tax and archival obligations | Article 6(1)(c) GDPR in conjunction with Article 74(2) of the Polish Accounting Act | 5 years counted from the beginning of the year following the financial year |
| Establishment, exercise and defence of legal claims | Article 6(1)(f) GDPR | until the expiry of the limitation period for claims |
The Controller remains ready to demonstrate compliance with the conditions of processing in accordance with the accountability principle expressed in Article 5(2) GDPR.
Personal data may be entrusted to processors acting on behalf of the Controller, in particular:
Candidate data are additionally shared with the Controller's Clients (employers) for whom recruitment processes are conducted; sharing takes place only to the extent necessary for the recruitment process and in a manner agreed with the Candidate.
The Controller does not use advertising pixels such as Meta Pixel, LinkedIn Insight Tag or other programmatic advertising tools on the Website.
State authorities, including courts and law‑enforcement agencies, receive data only to the extent required by law.
With each processor acting on behalf of the Controller, contracts compliant with the requirements of Article 28 GDPR are concluded.
Some of the providers referred to in Section 6 are based in third countries. Transfers of data to such countries take place under the Standard Contractual Clauses approved by the European Commission (Article 46(2)(c) GDPR) and, in respect of entities participating in the EU–US Data Privacy Framework, also on the basis of the adequacy decision. In particular:
Upon the request of a data subject, the Controller provides a copy of the safeguards applied.
The Controller does not take decisions in respect of data subjects based solely on automated processing, including profiling, in a way that produces legal effects concerning them or significantly affects them within the meaning of Article 22(1) GDPR. Decisions on inviting a Candidate to a further stage of recruitment and on their employment remain in each case decisions of natural persons on the side of the Client or the Controller's consultant.
In executive‑search recruitment processes, the Controller may use tools that assist the identification of candidates (e.g. keyword search in publicly available professional profiles); the result of such a search constitutes only support for the consultant and does not replace a substantive assessment of a candidacy.
To the extent provided by the GDPR, a data subject is entitled to:
The above rights are exercised upon request directed to [email protected] or by post to the Controller's registered address. A response is provided within one month of receiving the request, subject to the possibility of extending this period by a further two months in cases referred to in Article 12(3) GDPR.
Without prejudice to the rights set out in Section 9, a data subject has the right to lodge a complaint with the President of the Personal Data Protection Office (Polish DPA, ul. Stawki 2, 00‑193 Warsaw, uodo.gov.pl) if they consider that the processing of their data infringes the data protection legislation.
With regard to data security, the Controller has implemented technical and organisational measures appropriate to the risk referred to in Article 32 GDPR, in particular: encryption of connections using the current TLS protocol, encryption of application files at rest, role‑based access control, regular creation and testing of backup copies, and limitation of the number of requests directed to public forms. These measures are periodically verified and adjusted to the changing risk.
The Controller applies a strong‑password policy, session‑time restrictions and multi‑factor authentication for accounts with elevated privileges.
In the event of a personal data breach, the Controller acts in accordance with Articles 33 and 34 GDPR. Breaches likely to result in a risk to the rights or freedoms of natural persons are notified to the President of the Personal Data Protection Office no later than 72 hours after their detection. If a breach is likely to result in a high risk to the rights or freedoms of natural persons, the Controller also notifies the data subjects in a manner enabling immediate remedial action. The Controller maintains an internal breach register.
The rules for the use of cookies and similar technologies are described in a separate document: Cookies Policy. In particular, the Cookies Policy describes the use of Google Analytics 4 and the consent mechanism (Google Consent Mode v2) introduced on the Website on 5 May 2026.
The Website is not directed at persons under 16 years of age. The Controller does not knowingly process personal data of children. If it is discovered that data of a child have been provided without the consent of a legal representative, the Controller deletes them without undue delay.
The Policy may be amended, in particular due to changes in legislation, the scope of services provided or the tools used. The Controller informs data subjects of any material amendment to the Policy at least 14 days in advance, by e‑mail (with respect to persons maintaining an active relationship with the Controller) or by a notice displayed on the Website. The current version of the Policy remains continuously available at https://inteliq.pl/en/privacy-policy.html.